On Tue, 30 Jan 2007 12:58:01 +0000, [EMAIL PROTECTED] wrote:

>Last night, a single user (or, at least, a single IP address)
>in China that self-identified as running windows98 and
>Mozilla 4.0 attempted to download sqlite-3.3.12.tar.gz
>24980 times and sqlite-source-3_3_12.zip 25044 times
>over about a 5 hour period, sucking up significant
>bandwidth in the process.

>I've seen this type of thing before and have on occasion
>banned specific IP addresses from the website using

>   iptables -A INPUT -s <ipaddress> -j DROP

>But lately, there have been so many problems coming from
>win98 and moz4 that I'm thinking of banning all traffic
>that self-identifies as such in the User-Agent string of
>the HTTP header.

>Thoughts anyone?  Are there less drastic measures that might
>be taken to prevent this kind of abuse?


No human could click fast enough and long enough to request

        (24980 + 25044) / (5 * 60) = 166.75 downloads per minute

so it is probably safe to assume that a virus or spambot is
making the requests. As such, the putative agent identifiers
are likely faked and could be changed easily to report
something more modern. This would circumvent your trap
based on User-Agent.

I think you need to place a general limit on requests from ANY
ip address using some form of throttling in the web server.

-----------------------------------------------------------------------------
To unsubscribe, send email to [EMAIL PROTECTED]
-----------------------------------------------------------------------------
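A worked version of the per-IP throttling suggested in the reply above, added here as an example (it is not code from the thread or from the SQLite project). It assumes Apache combined-format access logs and parses constructed sample lines; the limit of 60 requests per minute, the addresses 198.51.100.7 and 203.0.113.5, and the byte counts are all assumptions. The key is that the limiter is keyed on the source address only, so a bot that changes its User-Agent string is throttled exactly the same way; the test below rewrites the UA and checks that the result is unchanged.

```python
"""Per-IP sliding-window throttling over Apache access logs.

Added example, not part of the original mailing-list thread. The limiter
counts requests by source IP and ignores the User-Agent entirely, which is
the point the reply makes: the UA is attacker-controlled, the address is not.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" log format. The UA is captured for display only and is
# never used as a throttling key.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


class SlidingWindowLimiter:
    """Allow at most `limit` requests per IP within any `window_s` seconds."""

    def __init__(self, limit, window_s):
        self.limit = limit
        self.window_s = window_s
        self._hits = defaultdict(deque)  # ip -> timestamps, oldest first

    def allow(self, ip, ts):
        q = self._hits[ip]
        # Drop timestamps that have fallen out of the window.
        while q and (ts - q[0]).total_seconds() >= self.window_s:
            q.popleft()
        if len(q) >= self.limit:
            return False  # over the limit: this request would be refused
        q.append(ts)
        return True


def find_offenders(lines, limit=60, window_s=60):
    """Replay log lines through the limiter; return {ip: requests refused}."""
    limiter = SlidingWindowLimiter(limit, window_s)
    refused = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash on them
        if not limiter.allow(rec["ip"], rec["ts"]):
            refused[rec["ip"]] += 1
    return dict(refused)


def drop_rules(offenders):
    """Render the iptables rule from the thread for each offending address."""
    return [f"iptables -A INPUT -s {ip} -j DROP" for ip in sorted(offenders)]


# Constructed sample data (assumed addresses, sizes and UA strings): 80 hits
# on the tarball from one address inside a single minute, and three ordinary
# requests from another address.
def _sample_lines():
    bot_ua = "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
    lines = []
    for i in range(80):
        sec = i * 60 // 80  # spread the 80 hits over seconds 0..59
        lines.append(
            f'198.51.100.7 - - [30/Jan/2007:02:00:{sec:02d} +0000] '
            f'"GET /sqlite-3.3.12.tar.gz HTTP/1.1" 200 1626438 "-" "{bot_ua}"'
        )
    for sec in (5, 25, 45):
        lines.append(
            f'203.0.113.5 - - [30/Jan/2007:02:00:{sec:02d} +0000] '
            f'"GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (X11; Linux)"'
        )
    return lines


SAMPLE_LINES = _sample_lines()

if __name__ == "__main__":
    offenders = find_offenders(SAMPLE_LINES)
    print(offenders)  # {'198.51.100.7': 20}
    for rule in drop_rules(offenders):
        print(rule)
```

In practice the same sliding window would sit in front of the download handler (or be expressed with the web server's own rate-limiting module) rather than replayed over the log afterwards; the replay form is used here because it runs offline and shows which addresses a given limit would have caught.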